Add Content-Security-Policy Header, fix #26

elnappo · Mar 26, 2019 · 3c7af1b · 3c7af1b
1 parent 681c38c
commit 3c7af1b
Show file tree

Hide file tree

Showing 2 changed files with 17 additions and 2 deletions.
diff --git a/project_novis/settings.py b/project_novis/settings.py
@@ -52,6 +52,8 @@ def bool_env(key, default=None):
     SESSION_COOKIE_SECURE = True
     CSRF_COOKIE_SECURE = True
     USE_X_FORWARDED_HOST = True
+    CSP_UPGRADE_INSECURE_REQUESTS = True
+    CSP_BLOCK_ALL_MIXED_CONTENT = True
 
 else:
     # SECURITY WARNING: keep the secret key used in production secret!
@@ -100,6 +102,7 @@ def bool_env(key, default=None):
     'django.middleware.clickjacking.XFrameOptionsMiddleware',
     'django.middleware.csrf.CsrfViewMiddleware',
     'django_referrer_policy.middleware.ReferrerPolicyMiddleware',
+    'csp.middleware.CSPMiddleware',
     'django.contrib.sessions.middleware.SessionMiddleware',
     'django.middleware.common.CommonMiddleware',
     'django.contrib.auth.middleware.AuthenticationMiddleware',
@@ -153,6 +156,12 @@ def bool_env(key, default=None):
 SECURE_CONTENT_TYPE_NOSNIFF = True
 REFERRER_POLICY = 'strict-origin-when-cross-origin'
 
+# Content-Security-Policy - https://django-csp.readthedocs.io/en/latest/configuration.html
+CSP_DEFAULT_SRC = ("'self'", )
+CSP_SCRIPT_SRC = ("'self'", "'unsafe-inline'", "cdnjs.cloudflare.com", "maxcdn.bootstrapcdn.com", "piwik.nerdpol.io")
+CSP_STYLE_SRC = ("'self'", "'unsafe-inline'", "maxcdn.bootstrapcdn.com", "cdnjs.cloudflare.com", "fonts.googleapis.com")
+CSP_FONT_SRC = ("'self'", "fonts.googleapis.com", "fonts.gstatic.com", "maxcdn.bootstrapcdn.com", "cdnjs.cloudflare.com")
+
 # CORS settings
 CORS_ORIGIN_ALLOW_ALL = True
 CORS_URLS_REGEX = r'^/api/.*$'
@@ -213,15 +222,20 @@ def bool_env(key, default=None):
 
 CRISPY_TEMPLATE_PACK = 'bootstrap3'
 
+DJANGO_SENTRY_DSN = os.environ.get("DJANGO_SENTRY_DSN", None)
+
 # Sentry settings
-if PRODUCTION and os.environ.get("DJANGO_SENTRY_DSN"):
+if PRODUCTION and DJANGO_SENTRY_DSN:
     sentry_sdk.init(
-        dsn=os.environ.get("DJANGO_SENTRY_DSN"),
+        dsn=DJANGO_SENTRY_DSN,
         integrations=[DjangoIntegration(), ],
         release=VERSION,
         environment=os.environ.get("DJANGO_SENTRY_ENVIRONMENT", "unknown")
     )
 
+    # https://docs.sentry.io/error-reporting/security-policy-reporting/
+    CSP_REPORT_URI = (f"https://sentry.io/api/{ DJANGO_SENTRY_DSN.split('/')[3] }/security/?sentry_key={ DJANGO_SENTRY_DSN.split('/')[2].split('@')[0] }",)
+
 # Email settings
 if PRODUCTION:
     DEFAULT_FROM_EMAIL = os.environ.get("DJANGO_DEFAULT_FROM_EMAIL", "info@project-novis.org")

diff --git a/requirements.txt b/requirements.txt
@@ -6,6 +6,7 @@ django-avatar
 django-bootstrap3
 django-cors-headers
 django-crispy-forms
+django-csp
 django-debug-toolbar
 django-filter
 django-oauth-toolkit